CVE-2026-4326

HIGH 8.8

Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'

CVSS Score

8.8

EPSS Score

0.1%

EPSS Percentile

25th

The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.

CWE	CWE-862
Vendor	webilia
Product	vertex addons for elementor
Published	Apr 9, 2026
Last Updated	Apr 9, 2026

Stay Ahead of the Next One

Get instant alerts for webilia vertex addons for elementor

Be the first to know when new high vulnerabilities affecting webilia vertex addons for elementor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

webilia / Vertex Addons for Elementor

0 ≤ 1.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Athiwat Tiprasaharn